We just published the first three parts of a multi-blog series on new phishing attacks that can exploit OAuth 2.0 authorization flows:
https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1
https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authentication-flows-part-2
https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authentication-flows-part-3
We believe there will be an increasing trend in phishing and other attacks that abuse the OAuth protocol itself in order to gain advantages such as: obtaining OAuth session tokens which bypass MFA and are practically permanent, as well as take advantage of quirks such as being able to spoof other applications easily.
This is based upon a Def Con 29 presentation given on August 7, 2021. Currently, there is more exposure for Microsoft O365/Azure users due to their implementation of the device authorization grant flow. However, much of the material applies to any use of OAuth within your organization.
Please let us know if you have questions or would like to discuss this in more detail.
